---
page_title: "cloudflare_teams_rule Resource - Cloudflare"
subcategory: ""
description: |-
  Provides a Cloudflare Teams rule resource. Teams rules comprise secure web gateway policies.
---

# cloudflare_teams_rule (Resource)

Provides a Cloudflare Teams rule resource. Teams rules comprise secure web gateway policies.

## Example Usage

```terraform
resource "cloudflare_teams_rule" "example" {
  account_id  = "f037e56e89293a057740de681ac9abbe"
  name        = "office"
  description = "desc"
  precedence  = 1
  action      = "block"
  filters     = ["http"]
  traffic     = "http.request.uri == \"https://www.example.com/malicious\""
  rule_settings {
    block_page_enabled = true
    block_page_reason  = "access not permitted"
  }
}
```
<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `account_id` (String) The account identifier to target for the resource.
- `action` (String) The action executed by matched teams rule. Available values: `allow`, `block`, `safesearch`, `ytrestricted`, `on`, `off`, `scan`, `noscan`, `isolate`, `noisolate`, `override`, `l4_override`, `egress`, `audit_ssh`.
- `description` (String) The description of the teams rule.
- `name` (String) The name of the teams rule.
- `precedence` (Number) The evaluation precedence of the teams rule.

### Optional

- `device_posture` (String) The wirefilter expression to be used for device_posture check matching.
- `enabled` (Boolean) Indicator of rule enablement.
- `filters` (List of String) The protocol or layer to evaluate the traffic and identity expressions.
- `identity` (String) The wirefilter expression to be used for identity matching.
- `rule_settings` (Block List, Max: 1) Additional rule settings. (see [below for nested schema](#nestedblock--rule_settings))
- `traffic` (String) The wirefilter expression to be used for traffic matching.

### Read-Only

- `id` (String) The ID of this resource.
- `version` (Number)

<a id="nestedblock--rule_settings"></a>
### Nested Schema for `rule_settings`

Optional:

- `add_headers` (Map of String) Add custom headers to allowed requests in the form of key-value pairs.
- `allow_child_bypass` (Boolean) Allow parent MSP accounts to enable their children to bypass this rule.
- `audit_ssh` (Block List, Max: 1) Settings for auditing SSH usage. (see [below for nested schema](#nestedblock--rule_settings--audit_ssh))
- `biso_admin_controls` (Block List, Max: 1) Configure how browser isolation behaves. (see [below for nested schema](#nestedblock--rule_settings--biso_admin_controls))
- `block_page_enabled` (Boolean) Indicator of block page enablement.
- `block_page_reason` (String) The displayed reason for a user being blocked.
- `bypass_parent_rule` (Boolean) Allow child MSP accounts to bypass their parent's rule.
- `check_session` (Block List, Max: 1) Configure how session check behaves. (see [below for nested schema](#nestedblock--rule_settings--check_session))
- `egress` (Block List, Max: 1) Configure how Proxy traffic egresses. Can be set for rules with Egress action and Egress filter. Can be omitted to indicate local egress via WARP IPs. (see [below for nested schema](#nestedblock--rule_settings--egress))
- `insecure_disable_dnssec_validation` (Boolean) Disable DNSSEC validation (must be Allow rule).
- `ip_categories` (Boolean) Turns on IP-category-based filtering on DNS if the rule contains DNS category checks.
- `l4override` (Block List, Max: 1) Settings to forward layer 4 traffic. (see [below for nested schema](#nestedblock--rule_settings--l4override))
- `notification_settings` (Block List, Max: 1) Notification settings on a block rule. (see [below for nested schema](#nestedblock--rule_settings--notification_settings))
- `override_host` (String) The host to override matching DNS queries with.
- `override_ips` (List of String) The IPs to override matching DNS queries with.
- `payload_log` (Block List, Max: 1) Configure DLP Payload Logging settings for this rule. (see [below for nested schema](#nestedblock--rule_settings--payload_log))
- `untrusted_cert` (Block List, Max: 1) Configure untrusted certificate settings for this rule. (see [below for nested schema](#nestedblock--rule_settings--untrusted_cert))

<a id="nestedblock--rule_settings--audit_ssh"></a>
### Nested Schema for `rule_settings.audit_ssh`

Required:

- `command_logging` (Boolean) Log all SSH commands.


<a id="nestedblock--rule_settings--biso_admin_controls"></a>
### Nested Schema for `rule_settings.biso_admin_controls`

Optional:

- `disable_copy_paste` (Boolean) Disable copy-paste.
- `disable_download` (Boolean) Disable download.
- `disable_keyboard` (Boolean) Disable keyboard usage.
- `disable_printing` (Boolean) Disable printing.
- `disable_upload` (Boolean) Disable upload.


<a id="nestedblock--rule_settings--check_session"></a>
### Nested Schema for `rule_settings.check_session`

Required:

- `duration` (String) Configure how fresh the session needs to be to be considered valid.
- `enforce` (Boolean) Enable session enforcement for this rule.


<a id="nestedblock--rule_settings--egress"></a>
### Nested Schema for `rule_settings.egress`

Required:

- `ipv4` (String) The IPv4 address to be used for egress.
- `ipv6` (String) The IPv6 range to be used for egress.

Optional:

- `ipv4_fallback` (String) The IPv4 address to be used for egress in the event of an error egressing with the primary IPv4. Can be '0.0.0.0' to indicate local egress via WARP IPs.


<a id="nestedblock--rule_settings--l4override"></a>
### Nested Schema for `rule_settings.l4override`

Required:

- `ip` (String) Override IP to forward traffic to.
- `port` (Number) Override Port to forward traffic to.


<a id="nestedblock--rule_settings--notification_settings"></a>
### Nested Schema for `rule_settings.notification_settings`

Optional:

- `enabled` (Boolean) Enable notification settings.
- `message` (String) Notification content.
- `support_url` (String) Support URL to show in the notification.


<a id="nestedblock--rule_settings--payload_log"></a>
### Nested Schema for `rule_settings.payload_log`

Required:

- `enabled` (Boolean) Enable or disable DLP Payload Logging for this rule.


<a id="nestedblock--rule_settings--untrusted_cert"></a>
### Nested Schema for `rule_settings.untrusted_cert`

Optional:

- `action` (String) Action to be taken when the SSL certificate of upstream is invalid. Available values: `pass_through`, `block`, `error`.
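
The following added example (not part of the provider's generated documentation) shows how the nested `rule_settings` blocks documented above attach to a rule: an `isolate` rule that uses `biso_admin_controls` to close the data-transfer paths out of the isolated session, and an `allow` rule that sets `untrusted_cert` to `block`. The resource names, rule names, URLs and precedence values are placeholders, and the pairing of each settings block with the action shown is an assumption, since the schema above does not state which actions accept which settings.

```terraform
# Added example: render a matched URL in browser isolation and
# restrict how data can leave the isolated session.
resource "cloudflare_teams_rule" "isolate_untrusted" {
  account_id  = "f037e56e89293a057740de681ac9abbe"
  name        = "isolate-untrusted" # placeholder name
  description = "Isolate the matched URL and disable data transfer controls"
  precedence  = 2
  action      = "isolate"
  enabled     = true
  filters     = ["http"]
  traffic     = "http.request.uri == \"https://www.example.com/untrusted\""

  rule_settings {
    biso_admin_controls {
      disable_copy_paste = true  # no clipboard transfer to or from the page
      disable_download   = true  # no files pulled from the isolated session
      disable_upload     = true  # no local files sent to the site
      disable_printing   = true
      disable_keyboard   = false # keep the page usable for reading and login
    }
  }
}

# Added example: allow a matched URL, but refuse the connection when the
# upstream presents an invalid certificate instead of passing it through.
resource "cloudflare_teams_rule" "allow_strict_tls" {
  account_id  = "f037e56e89293a057740de681ac9abbe"
  name        = "allow-strict-tls" # placeholder name
  description = "Allow the matched URL only over a valid upstream certificate"
  precedence  = 3
  action      = "allow"
  enabled     = true
  filters     = ["http"]
  traffic     = "http.request.uri == \"https://www.example.com/partner\""

  rule_settings {
    untrusted_cert {
      # "pass_through" would forward traffic despite the invalid certificate.
      action = "block"
    }
  }
}
```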

## Import

Import is supported using the following syntax:

```shell
$ terraform import cloudflare_teams_rule.example <account_id>/<teams_rule_id>
```
